Analysis
- max time kernel: 148s
- max time network: 125s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-12-2020 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: Document for FEDEX clearance.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Document for FEDEX clearance.exe
  Resource: win10v20201028
General
- Target: Document for FEDEX clearance.exe
- Size: 933KB
- MD5: e47bfff65206f25107f97232d1837eee
- SHA1: ee1595672da926e1c5630ce961a22071a2f46179
- SHA256: 0771791b95c7869be68dc8225a8763158d758b73cd83869f55188cd0ec98cbac
- SHA512: 9fb9176ee7455e812e1c0a353574dae18d91c793c997423e680a04c33d1beac8a0fce08784fb7d29e1ed50c268de015196f82e5f2e7344df375e0aef53be9ae9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.lokalboyz.com
- Port: 587
- Username: oc@lokalboyz.com
- Password: Gllm9vjy
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/2016-4-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/2016-5-0x00000000004373EE-mapping.dmp | family_agenttesla
    behavioral1/memory/2016-7-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/2016-6-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 1424 set thread context of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | Document for FEDEX clearance.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    2016 | Document for FEDEX clearance.exe
    2016 | Document for FEDEX clearance.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2016 | Document for FEDEX clearance.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid | process
    2016 | Document for FEDEX clearance.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
    PID 1424 wrote to memory of 2016 | 1424 | Document for FEDEX clearance.exe | Document for FEDEX clearance.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Document for FEDEX clearance.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document for FEDEX clearance.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Document for FEDEX clearance.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Document for FEDEX clearance.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  MD5: 7678feb096acc948b408a3e8c1147e8b
  SHA1: e4294e44c38ba32e7a720a04f9c65d9939e28c6a
  SHA256: be8d2c55ca34f49fa13510680e63cc100401d9f8c6cb38720ba8ef028e7fe9d8
  SHA512: 4c6c875f829d8d9bfd905053bd520f6bb2186366a1e754baeec95168becaa24a5e7f53a443b9d53cea4edee4b15d05dfbf32e1b146a4258039350128eb125784
- memory/2016-4-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/2016-5-0x00000000004373EE-mapping.dmp
- memory/2016-7-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/2016-6-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB